1. Field of the Invention
The present invention relates to a computer program product, method and system for dynamically providing algorithm-based password/challenge authentication.
2. Description of the Related Art
Daily life requires the use of a wide variety of information devices, such as mobile phones, personal computers, notebook computers, and tablet computers. The information devices may keep users' personal data and identity data. Due to the prevalence of networks, an increasing number of network functions are performed on-line. In particular, servers have to store users' personal data and identity data in order to provide network services, such as social networking services, webpage/email services, mobile commerce services, banking on-line transaction services, database access services, or content and information provider services. Hence, to ensure security and privacy, the servers usually require that, before accessing the services provided by the servers, users have to follow an authentication procedure for recognizing the users' identity. At present, the commonest authentication procedure is a password-based challenge authentication procedure whereby a server typically requires that, before accessing its services, users ought to enter a username and a password for identity recognition (or known as “login”), in order to prevent user personal data from being stolen or fraudulently changed.
With network coverage and accessibility increasing rapidly, hackers are becoming more likely to target a user's password with a view to faking the user's identity. Therefore, simple passwords no longer provide adequate protection. For this reason, various mechanisms are put forth to provide better protection. For example, users are required to create a password that meets the requirements of password length, complexity, and unpredictability, such that the strength of the password is sufficient to fend off brute-force search attacks and dictionary attacks. Furthermore, users are required to change their passwords regularly to invalidate old passwords, thereby reducing the chance that their passwords will be cracked. The aforesaid mechanisms enhance security and thus help users protect their accounts.
However, referring to FIG. 1, a client end 100 requests access to different web services and an authentication procedure of a username/password 102 provided by website A 110, website B 120, and website C 130 through a network 140 by means of a challenge 101. In practices, most users usually use different usernames/passwords to log in website A 110, website B 120, and website C 130, respectively. The mechanisms require users to memorize passwords for accessing the web services of different websites, respectively. Furthermore, users usually log in a small number of websites on a daily basis, and thus are unlikely to memorize accurately the passwords of those websites which are seldom visited by them. Because of this, they have to guess the rarely-used passwords, not to mention that their accounts would be locked out after incorrect password entries.
Therefore, there is a need in the art to assist users in memorizing troublesome passwords while ensuring security. A solution lies in conventional one-time password (OTP) technology. However, OTP technology can provide passwords to users only when additional technology is accessible. In most circumstances, OTP technology requires an electronic device. Chances are the electronic device will get lost, and thus present the risk of losing the passwords. Furthermore, it is unlikely for an organization to share its OTP generation mechanism with another organization. Thus, to access web services provided by different websites, a user has to use different electronic devices. Therefore, users have to carry multiple portable electronic devices, thereby adding to a risk of loss.
Another solution is provided by a password hint mechanism. However, the mechanism works at the cost of undermining password security, because unauthorized persons can also see the password hint and therefore help a hacker crack the password.
Furthermore, the mechanism is not effective in giving an appropriate password hint to a complicated password. Therefore, sensitive systems nowadays seldom use the mechanism.
There are numerous conventional methods of password-based challenges for providing better protection. Examples are Patent Cooperation Treaty (PCT) Publications WO 2006/020096 and, WO 2002/017556, U.S. Pat. Nos. 5,841,871 and 6,094,721, and U.S. Patent Pub. No. 2007/0011724.